Input validation error in PostgreSQL - CVE-2007-3279
Published: October 16, 2018 / Updated: June 23, 2025
Vulnerability identifier: #VU111780
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2007-3279
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: PostgreSQL Global Development Group
Affected software:
PostgreSQL
PostgreSQL
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
PostgreSQL 8.1 and probably later versions, when the PL/pgSQL (plpgsql) language has been created, grants certain plpgsql privileges to the PUBLIC domain, which allows remote attackers to create and execute functions, as demonstrated by functions that perform local brute-force password guessing attacks, which may evade intrusion detection.
How to mitigate CVE-2007-3279
Install update from vendor's website.
Sources
- http://osvdb.org/40900
- http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:188
- http://www.portcullis.co.uk/uplds/whitepapers/Having_Fun_With_PostgreSQL.pdf
- http://www.securityfocus.com/archive/1/471541/100/0/threaded
- https://exchange.xforce.ibmcloud.com/vulnerabilities/35144